Vulnerability Myths You Should Stop Believing
September 28, 2021 • RBS
Welcome to Vulnerability Myths You Should Stop Believing, our new series where we pick apart popular security misconceptions and explain why they aren’t true.
Over the course of a decade, we have seen the vulnerability disclosure landscape shift dramatically. However, although vulnerability trends have changed over the years, a number of vulnerability “myths” persist. We’ve heard things like “you can’t give a CVSS score to a vulnerability without a CVE ID” among other things that simply aren’t true. Heard something similar? Maybe you’ll find it on our list.
That being said, let's start debunking the first vulnerability myth:
Myth: “CVE/NVD is the official source of disclosed vulnerabilities”
The Common Vulnerabilities and Exposures (CVE) database is used by nearly every organization. That must mean that CVE is the “official” source for disclosed vulnerabilities, right? Far from it. Even though it may be the most used source of vulnerability intelligence, that doesn’t mean it’s the best.
In order to understand why this vulnerability myth is false, we need to briefly explain the vulnerability disclosure landscape before and during the early 2000s.
Times Have Changed
Back in the day, an organization could reasonably discover the majority of reported vulnerabilities using mailing lists and a handful of vendor security advisories. But before you pine for the good ol' days, keep in mind that the number of vulnerabilities being disclosed during that time was significantly lower than today.
For the entire year of 2000, only 1,582 vulnerabilities were publicly disclosed. It wasn’t until 2012 and 2013 that the total number of disclosed vulnerabilities consistently hit above 10,000. Since then, the total number of disclosed vulnerabilities has seen tremendous growth. Nowadays, we commonly aggregate over 10,000 vulnerabilities in just six months.
Additionally, compared to the 2000s, vulnerability reporting has become much more decentralized. The astronomical number of new technologies and software products being introduced, along with the vast landscape of venues for disclosing vulnerabilities, has made keeping up a resource-draining and intensive in-house task.
Not the “Official” Source
The decentralization of vulnerability reporting, coupled with the public's need for a single source of vulnerabilities, has led to the popularity of MITRE's CVE/NVD. It is this popularity that fuels the number one vulnerability myth. But CVE/NVD is not the "official" source of published vulnerabilities; you could argue, however, that it is the most used source.
Even though it may be the most used source, that doesn’t qualify it as the best source of vulnerability intelligence (even if a majority of organizations solely rely on it). The fact is that CVE/NVD has missed over 86,000 vulnerabilities, with many of them including major products/vendors and being high to critical in severity.
The reason for this intelligence gap is that CVE/NVD has systemic issues that prevent it from being a comprehensive, actionable, and timely source of vulnerability intelligence. We detailed those issues in our article, What is Vulnerability Discovery?, but here is the main gist: CVE/NVD is not proactive in discovering and monitoring vulnerabilities. It only catalogs vulnerabilities that are directly reported to it.
Tune in for the next vulnerability myth, “You can’t give a CVSS score to a vulnerability without a CVE ID.” Spoiler alert, it’s false.